• Advertise
  • Subscribe
  • Forums
  • Buyer's Guide
  • Contact Us
  • Connect on LinkedIn
    1. Security Executives

    How online threats and AI manipulation are endangering corporate executives

    Feb. 21, 2025
    According to a new Nisos report, the rise in online hostility toward corporate leaders is staggering, with over 2,200 direct threats against CEOs identified in just five weeks following the murder of UnitedHealthcare CEO Brian Thompson.
    Antonio_Diaz / Getty Images
    As digital and physical threats converge, executives face rising risks from AI-driven disinformation, deepfake attacks, and online harassment. Proactive monitoring and narrative intelligence are now critical for corporate security.
    As digital and physical threats converge, executives face rising risks from AI-driven disinformation, deepfake attacks, and online harassment. Proactive monitoring and narrative intelligence are now critical for corporate security.

    The shooting death of UnitedHealthcare CEO Brian Thompson on the streets of New York City sent shockwaves through the corporate world. It was a grim reminder that online vitriol, doxxing and targeted harassment can have real-world consequences.

    In the aftermath of his death, security experts are sounding the alarm: high-profile executives are increasingly becoming the targets of online narrative attacks, AI-manipulated deepfakes, phishing attempts and even physical violence.

    The Rise of Digital Threats Against Executives

    Executives today operate under an unprecedented level of public scrutiny, facing coordinated attacks that blend digital harassment, misinformation campaigns and physical intimidation. Hyper-agenda-driven threat actors, cybercriminals and even nation-states are increasingly integrating these tactics to manipulate narratives, disrupt corporate operations and endanger business leaders.

    This convergence of digital and physical threats represents a significant evolution in executive security risks, requiring a more sophisticated approach to mitigation.

    “Threat actors, cybercriminals and nation-states are now using AI to generate and disseminate harmful narrative attacks quickly, at scale, with minimal risk and at low cost,” explains Wasim Khaled, CEO of Blackbird.AI, a company that uses AI to help organizations identify and respond to threats from misinformation and disinformation. “Deepfakes, chatbot-driven information campaigns and generative AI content creation — images, video and audio — are being used to target executives and companies to cause physical and emotional harm, fraud, cyberattacks, fake cyberattacks, stock manipulation, merger and acquisition disruptions, and impact brand reputation.”

    A single social media post can rapidly escalate into a full-scale reputational crisis, with damaging financial and personal implications.

    According to a recent report by Nisos, a cybersecurity company specializing in providing managed intelligence services, the rise in online hostility toward corporate leaders is staggering. Between June and December 2024, over 1,560 direct threats against CEOs were identified. Following Thompson’s murder, that number surged to over 2,200 threats in just five weeks.

    Landon Winkelvoss, co-founder and vice president of legal & intelligence advisory at Nisos, emphasizes the importance of reviewing and assessing the total context to differentiate credible threats from noise.

    “This includes taking a broader view of the poster’s profile and their activities over time to identify any history of violence, criminal record and escalation across open source and closed forums and platforms,” he explains. “It’s also important to assess the poster’s intent and access. One way this can be done is through analyzing their use of stylometric attributes and language. For example, ‘What is the CEO’s address’ reflects less intent than ‘I’m going to the CEO’s address.’”

    Alarmingly, online aggressors have developed coded language to bypass automated detection. Terms like “Luigi’d” and “pull a Luigi” — in reference to Thompson’s killer, Luigi Mangione — have emerged as euphemisms for attacking executives. This shift illustrates how quickly digital threats can evolve, making traditional security measures insufficient.

    While it’s never been a secret that C-suite executives often face threats and negative sentiment online, Winkelvoss says, the murder of United Healthcare’s CEO has become a wake-up call for businesses across the globe that online hostility can quickly escalate into real-world violence.

    “Because of this, corporate and executive security teams have been reassessing and strengthening their protective measures, including threat assessment programs, personal security details, and situational awareness training for executives,” he says. 

    The Need for Proactive Threat Monitoring

    The assassination of a high-profile CEO is an extreme case, but executives across industries face daily threats that extend beyond physical security. Nisos’ research emphasizes that personal information, location data and digital footprints left across social media and deep web marketplaces serve as vulnerabilities that malicious actors exploit.

    As digital threats grow more complex, executives find themselves vulnerable in ways traditional security measures fail to address. This is especially true for the rise of narrative attacks, which exploit gaps in conventional threat detection systems. 

    “Narrative attacks are a new threat vector that cybersecurity teams are not prepared for, as traditional threat intelligence tools look at individual posts or fake accounts, but do not look at narratives,” Kahled says. “It’s a blind spot for cybersecurity teams and they are being asked to look for solutions that can fill this gap as they are in the best position to protect against them. A year ago, it wasn’t a top threat but over the past six months, it has become a top priority for global companies and national security organizations.”

    Winkelvoss adds that modern executive protection programs must incorporate executive vulnerability assessments, PII exposure removal, digital footprint management, and continuous Open-Source Intelligence (OSINT) monitoring.

    “Many traditional executive protection programs only focused on a combination of physical security protections and the removal of critical information from public company assets and the dark web,” he notes. “However, to be truly effective, executive protection programs require expertise across both the physical and the digital realms. Personal and location details readily available through people search sites, deep and dark web marketplaces, social media, and adtech data can provide threat actors with the information needed to stage a physical attack.”

    Social media, for example, is one of the most overlooked — and easiest to find and exploit forms of data out there. Many executives and organizations overlook the outsized security issues created by family and friends posting about activities, locations and vacations and sharing photos containing identifying information, Winkelvoss explains.

    Many traditional executive protection programs only focused on physical security protections and removing critical information from public company assets and the dark web. However, to be truly effective, executive protection programs require expertise across both the physical and the digital realms.

    - Landon Winkelvoss, co-founder and vice president of legal & intelligence advisory at Nisos

    “Modern executive protection programs need to incorporate executive vulnerability assessments, PII exposure removal, digital footprint management, and continuous monitoring of OSINT,” he adds.

    Nisos’ report reveals that between Dec. 4, 2024, and Jan. 10, the term “Luigi'd” was used in over 12,900 online discussions, many of which were direct threats against business leaders. Additionally, the phrase “pull a Luigi” appeared in nearly 1,850 posts, indicating a disturbing trend where online hostility is escalating into real-world threats. NISOS researchers also found that threats frequently arise in response to executive decisions on business partnerships, product rollouts, and corporate policies.

    To combat these growing risks, experts recommend a multi-layered approach that includes:

    • Executive vulnerability analysis: Identifying and mitigating risks by removing personally identifiable information (PII) from publicly accessible sources.

    • Continuous online monitoring: Detecting and analyzing threats in real time, including coded language and emerging online narratives. “Narrative Intelligence is the new category designed to protect against narrative attacks,” explains Khaled. “It leverages good AI to give you visibility into the harmful narratives targeting your executives, organization and industry, the influence behind them, the networks they infect, the anomalous (bot) behavior that scales them, the cohorts and communities that connect and amplify them — all visible through a single AI-based Narrative Intelligence platform.”

    • Deepfake and AI manipulation protection: Addressing reputational attacks that use fabricated images, videos or statements to distort reality.

    • Social engineering defense strategies: Training executives to recognize phishing attempts and misinformation campaigns aimed at undermining their credibility.

    • Physical security enhancements: Increasing personal security measures, such as situational awareness training and protective details.

    Winkelvoss cites one example was when OSINT played a crucial role in preventing a potential threat against an executive, in this case helping a client identify and mitigate a bomb threat. During routine monitoring of dark web, open web and social media channels for the client, Nisos identified several imminent physical security threats to the CEO.

    “These threats had evaded detection thus far. Our data sources included social media sites, discussion groups, hacking forums and deep and dark web marketplaces. Our human-driven investigation involved a multi-step process in which we triaged alerts and analyzed profiles related to persons of interest and groups of interest,” he explains.  

    Ultimately, analysts uncovered bomb threats directed at the client’s executive team in deleted posts on social media channels.

    “The severity and frequency of these threats was impossible to ignore,” Winkelvoss says. “We went to work to find the individuals responsible and refer the findings to law enforcement before the situation escalated into a real-world security incident.”

    About the Author

    Rodney Bosch | Editor-in-Chief/SecurityInfoWatch.com

    Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for several major security publications. Reach him at [email protected].

    Email